
I have a GCP VPC and it is connected to on-prem using Public Cloud Interconnect. Traffic flow between onprem and the VPC is ok. All routes and firewalls are configured correctly.

Now I would like to have the company DNS servers available for VMs in my VPC.

My 3 DNS servers are

10.17.121.30 dns-01.net.company.corp
10.17.122.10 dns-02.net.company.corp
10.17.122.170 dns-03.net.company.corp

Now I have done the below config in Cloud DNS in GCP. The DNS name is company.corp

[screenshot of the Cloud DNS private zone configuration; not reproduced here]

The "In use by" is referring my VPC.

The IPs 10.17.121.30, 10.17.122.10 and 10.17.122.170 are on-prem and are accessible from the VPC over port 53.

But after having done all the above, if I try to connect to any on-prem machine using its name, I get

telnet: could not resolve example-server.corp.sap/443: No address associated with hostname

The above request is being made from a VM inside the VPC.

Which leads me to believe that my DNS servers might not be correctly configured. What have I missed here?

asked by Jason Stanley
  • Did you run a command to make the private zone visible? Example: `gcloud dns managed-zones update [private_zone_name] --networks default` – John Hanley Feb 21 '20 at 04:02
  • Note you cannot specify your company's DNS servers as resolvers for your VPC without setting up DNS forwarders. Edit your question to be clear on what you need to do with real examples. – John Hanley Feb 21 '20 at 04:05
  • It seems the TLD doesn't match: `corp.` != `corp.sap.` – Martin Zeitler Feb 21 '20 at 04:49

1 Answer

If you are intending to have your VMs able to resolve hostnames within your on-premises network, then you will need to make use of DNS forwarding. You would need to configure your private zone as a forwarding zone. Once this is done you can use your forwarding zone to query on-premises servers.

answered by TheRovinRogue
  • Is the following requirement still mandatory ? `Ensure on-premises network firewall rules that apply to the name server permit packets whose sources are in 35.199.192.0/19` – Jason Stanley Feb 24 '20 at 16:01
  • 1
    Yes, opening on-premises and VPC firewalls to ensure traffic with packet sources from 35.199.192.0/19 is required.[1][2] [1] Cloud DNS Troubleshooting - Check on-premises firewall: https://cloud.google.com/dns/docs/troubleshooting#check_on-premises_firewall [2] DNS Best practices - Open Google Cloud and on-premises firewalls to allow DNS traffic: https://cloud.google.com/dns/docs/best-practices-dns#open_and_on-premises_firewalls_to_allow_dns_traffic – TheRovinRogue Feb 24 '20 at 17:11
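The following script is an added example (not code from the question, the answer, or Google's documentation) that puts the answer and its comments into concrete gcloud steps: it creates a private forwarding zone for `company.corp.` that targets the three on-prem resolvers from the question, attaches it to the VPC, and advertises the 35.199.192.0/19 source range back over the Interconnect so replies can return. The project, VPC, Cloud Router name, region and zone name are placeholders, and the `name_in_zone` helper exists only to show the suffix mismatch Martin Zeitler pointed out: a query for `example-server.corp.sap` is not covered by a zone whose DNS name is `company.corp.`, so it never reaches the forwarding targets regardless of firewall settings.

```shell
#!/bin/sh
# Added example: Cloud DNS outbound forwarding to on-prem resolvers.
# All names below are assumed placeholders, not values from the page.
set -eu

PROJECT="${PROJECT:-my-project}"          # assumption
VPC="${VPC:-my-vpc}"                      # assumption
ROUTER="${ROUTER:-my-cloud-router}"       # assumption: Cloud Router on the Interconnect
REGION="${REGION:-europe-west1}"          # assumption
ZONE_NAME="corp-forwarding"               # assumption: Cloud DNS zone resource name
DNS_NAME="company.corp."                  # suffix from the question
TARGETS="10.17.121.30,10.17.122.10,10.17.122.170"   # on-prem DNS servers from the question
CLOUD_DNS_SRC="35.199.192.0/19"           # source range Cloud DNS uses for forwarded queries

# Does a query name fall under the zone's DNS name? Both sides are normalised
# to a single trailing dot so "company.corp" and "company.corp." compare equal.
# Returns 0 (true) if the zone covers the name, 1 otherwise.
name_in_zone() {
  host="${1%.}."
  zone="${2%.}."
  case "$host" in
    "$zone"|*."$zone") return 0 ;;
    *)                 return 1 ;;
  esac
}

# 1. Forwarding zone: private, bound to the VPC, forwarding to the on-prem servers.
#    RFC 1918 targets are reached through the VPC (here, over the Interconnect).
create_forwarding_zone() {
  gcloud dns managed-zones create "$ZONE_NAME" \
    --project="$PROJECT" \
    --dns-name="$DNS_NAME" \
    --description="Forward ${DNS_NAME} to on-prem resolvers" \
    --visibility=private \
    --networks="$VPC" \
    --forwarding-targets="$TARGETS"
}

# 2. Return path: on-prem must route replies to 35.199.192.0/19 back through
#    the Interconnect, so the Cloud Router advertises that range as a custom route.
advertise_return_route() {
  gcloud compute routers update "$ROUTER" \
    --project="$PROJECT" \
    --region="$REGION" \
    --advertisement-mode=CUSTOM \
    --set-advertisement-groups=ALL_SUBNETS \
    --set-advertisement-ranges="$CLOUD_DNS_SRC"
}

# 3. The on-prem firewall in front of the three resolvers must accept UDP/TCP 53
#    from 35.199.192.0/19 (not from the VM's own subnet); that is configured on
#    the on-prem side and is not a gcloud command.

# 4. Verify from a VM in the VPC: the metadata resolver should now answer for
#    names under the zone. Names outside the zone (e.g. *.corp.sap) need their
#    own forwarding zone.
verify_from_vm() {
  for h in dns-01.net.company.corp example-server.corp.sap; do
    if name_in_zone "$h" "$DNS_NAME"; then
      echo "$h is under $DNS_NAME; will be forwarded to $TARGETS"
      dig +short "$h" || true
    else
      echo "$h is NOT under $DNS_NAME; create a separate forwarding zone for it"
    fi
  done
}

# Only touch real infrastructure when explicitly asked.
if [ "${1:-}" = "apply" ]; then
  create_forwarding_zone
  advertise_return_route
  verify_from_vm
fi
```

Run it as `sh forward-dns.sh apply` on a workstation with `gcloud` authenticated against the project; without the argument it only defines the functions. The zone's DNS name is the part most often got wrong: a forwarding zone for `company.corp.` covers `dns-01.net.company.corp` but not `corp.sap`, which the question's telnet error is actually querying.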